(54) Method and apparatus for firmware authentication

(57) An apparatus for firmware authentication and methods of operating the same result in software upgradability to firmware without compromising the integrity of the firmware. The apparatus for firmware authentication of a boot PROM comprises a software programmable data section having a plurality of micro-code. An authentication section having a hash generator configured to generate a data hash in response to the plurality of micro-code programmed in the software programmable data section to authorize execution of the plurality of micro-code of the data section.
Description

The present invention relates to authentication of firmware (for example, programmed micro-code such as programmable micro-code written in a memory device).

Computer systems during initial power up rely on a sequence of instructional routines which build on each previously executed instructional routine until the computer system is initialized. Microcode, also referred to as firmware or boot code, is the first level of the instructional routines that are executed when the computer system is initially powered up. The microcode stored in non-volatile memory devices such as a memory IC (integrated circuit) directs the computer system to certain boot blocks located on a disk drive. As these boot blocks on the disk drive are executed, successively larger blocks of boot data are loaded until finally the operating system, such as an Unix or Microsoft Windows of the computer system is loaded.

The micro-code for the initial boot up instructions of a computer system is typically stored in a boot ROM (read only memory) or boot PROM (programmable read only memory). An example of a PROM is a flash PROM, often referred to as flash memory. Needs arise when the micro-code for the initial boot up instructions requires updating. Those computer systems having ROMs require new ROMs. Replacing old ROMs with newly supplied ROMs is expensive. Furthermore, the computer system has to be disassembled to gain access to replace the ROMs.

In computer systems with boot PROMs that employ flash technology, updating new micro-code entails accessing the flash PROM using software and programming the flash PROM with new micro-code. However, because the micro-code contained in the boot PROM is the first code that is executed, reasons to limit programming access to the flash PROM include: 1) inadvertent programming can cause the computer system to become completely inactive; 2) security sensitive environments require that the micro-code be tamper-proof to prevent security risks. Thus, safeguards are currently in place to prevent modification of the boot PROM.

These safeguards include using boot ROMs to store the micro-code or setting hardwire jumpers that prevent software modification of boot PROMs. In order to modify the micro-code, boot ROMs must be replaced with new boot ROMs containing the updated micro-code. In the case of boot PROMs, user intervention is required to manually switch the jumpers of the boot PROMs to enable programming access to the boot PROMs for the new micro-code. In either case, user intervention is required to physically open the computer system and make the necessary changes. The changes range from the replacement of old boot ROMs with new boot ROMs to changing jumper settings of the flash boot PROM to enable and disable programming of the flash boot PROM. Thus, the safeguards require additional time and effort from the users to implement modifications to the micro-code. The process of providing upgrades to the microcode programming is cumbersome and time-consuming.

Therefore, it is desirable to provide an apparatus for authenticating firmware programmed in a boot PROM and methods of operating the same that enable programming access to the boot PROM without compromising the authenticity of the firmware that overcome the disadvantages of disassembling the computer system.

Various respective aspects and features of the invention are defined in the appended claims.

The present invention provides an apparatus for firmware authentication and methods for operating the same which result in software upgradability to firmware without compromising the integrity of the firmware. The novel application for authentication of firmware is based on cryptography. Thus, according to one aspect of the invention, a boot PROM (programmable read only memory) having programming instructions for initiating a computer system is provided. A software programmable data section has a plurality of micro-code. An authentication section having a hash generator generates a data hash in response to the plurality of micro-code programmed in the software programmable data section to authorize execution of the plurality of micro-code of the data section.

According to another aspect of the invention, the software programmable data section includes a predetermined digital signature, and the authentication section includes a predetermined public key and a decryptor which provides a verification hash in response to the predetermined signature and the public key. The authentication section also includes a comparator which compares the data hash with the verification hash to authenticate the plurality of micro-code of the software programmable data section. If the data hash and the verification hash do not match, a message alerts the user of the mismatch indicating that the micro-code is not authenticated.

According to another aspect of the invention, the authentication section includes a plurality of trusted micro-code which initiates execution of the plurality of micro-code of the software programmable data section in response to proper authentication of the data hash. The proper authentication of the data hash by the authentication section of the plurality of trusted micro-code affords the plurality of micro-code programmed in the software programmable data section to a level of trusted code. Thus, the trusted code of the software programmable data section can be used to authenticate another set of downstream code that is executed during the boot up sequence for the computer system.

According to yet another aspect of the invention, the software programmable data section includes a flash memory which enables software reprogramming of the plurality of micro-code. Other programmable storage mediums are also usable for the storage of the micro-code. The authentication section includes a ROM (read only memory) that provides a base line for trusted code.

An apparatus and method for firmware authentication are provided by authenticating the software programmable data section of the boot PROM with a trusted ROM section of the boot PROM. The ability to provide software programmability of the boot PROM affords ease in upgradability that saves time, effort, and energy. Upgrading with newer versions of the boot PROM affords support for new functions and eliminates bugs and other inconsistencies that can plague older versions of the boot PROM. Thus, the newer boot PROMs provide for a smoother and more efficient operating computer system.

The invention will now be described by way of example with reference to the accompanying drawings, throughout which like parts are referred to by like references, and in which:

Fig. 1 illustrates a system level block diagram of a computer system;

Fig. 2 illustrates a block diagram of a flash PROM of the computer system in accordance with the present invention;

Fig. 3 illustrates a flow diagram for generating a signature in accordance with the present invention; and

Fig. 4 illustrates a flow diagram for authenticating unsecured micro-code of the programmable section of the flash PROM.

Embodiments of the invention will now be described with respect to the figures in which Fig. 1 generally shows a simplified computer system 10. The computer system 10 includes a CPU (central processing unit) 12, display 14, hard disk 16 and a flash PROM (programmable read-only memory) 18. The computer system 10 is for illustrative purposes as many variations to the architecture of the computer system 10 are available and known in the art. CPU bus 22 couples the CPU 12 to data bus 13. The CPU 12 includes a memory 15 which stores instructions and data for processing by the CPU 12. Disk drive bus 26 couples the disk drive 16 to the data bus 13. The disk drive 16 provides non-volatile data storage for the computer system 10. Data transfers occur between the CPU 12 and the disk drive 12 as the data is processed by CPU 12. Display bus 24 couples the display 14 to the data bus 13. The display 14 receives output data for display. The display 14 includes a keyboard 17 coupled to the display via cable 19. The keyboard 17 provides a user interface to computer system 10. PROM bus 28 couples the flash PROM 18 to data bus 13. The flash PROM 18 includes initialization instructions for the computer system 10.

During start-up of the computer system 10, micro-code instructions stored in the flash PROM 18 are executed. The micro-code instructions include boot code that directs execution of particular boot blocks of the hard disk 16. Once the instructions contained in the boot blocks of the hard disk 16 are executed and loaded into the memory 15, higher level instructions and code are executed and loaded into memory 15 such as operating systems for Windows 95, Unix, or Macintosh based computers. The higher level instructions and code may be executed from a network server. Thus, in an alternative embodiment, computer system 10 is one of a number of computer systems coupled to a network.

In a network, the computer system 10 may not include the disk drive 16, as data transfers are through a network server. The network server includes wired network connections, RF (radio frequency) network connections, and IR (infrared) network connections. Other computer systems include hand held systems such as PDAs (Personal Data Assistants) and computer systems that include micro-code to initialize the computer system.

Fig. 2 illustrates a block diagram of the flash PROM 18. The flash PROM 18 is divided into two main sections: an authentication section 45 and a programmable section 55. The authentication section 45 is a ROM (read-only memory). The micro-code instructions contained in the authentication section 45 are read only. The micro-code instructions contained in the programmable section 55 are re-writable. For example, the programmable section 55 includes a flash memory that is software programmable with new micro-code.

The authentication section 45 authenticates the programmable section 55 to verify that the micro-code instructions which boot the computer system 10 are trusted because the programmable section 55 is software programmable. The authentication section 45 includes a plurality of secure micro-code 51, a comparator 52, a hash generator 53, a decryptor 54 and a public key 56. The unsecured section 55 includes a digital signature 57 and a plurality of unsecured micro-code 58.

During initialization of the computer system 10, the secure micro-code 51 of the authentication section 45 executes and directs the hash generator 53 to generate a data hash of the unsecured microcode 58 programmed in the programmable section 55 of the flash PROM 18. The secure micro-code 51 also directs the decryptor 54 to calculate a verification hash. The decryptor applies the public key 56 of the authentication section 45 and the digital signature 57 of the programmable section 55 and calculates the verification hash.

Once the verification hash and the data hash are generated, the micro-code 51 directs the comparator 52 to compare the verification hash with the data hash. If the verification hash matches the data hash, the unsecured micro-code 55 is properly verified and permitted to execute. If the comparison of the verification hash and the data hash fails, the unsecured micro-code 58 is corrupted or had been altered without proper authorization.

Public-key cryptography verifies that the digital signature 57 and the public key 56 decrypts to a verification hash which matches the data hash of the microcode programmed in the programmable section 55 of the flash PROM 18. The data hash generator 53 generates the data hash. A digital signature 57 of the programmable section 55 is provided when the programmable section 55 is programmed. During authorized programming of the programmable section 55, an initial hash from the authorized programming micro-code is generated. Next, a proper digital signature 57 is encrypted from a secret key and the initial hash of the authorized programming microcode 58 using public key cryptography techniques. The proper digital signature 57 and the authorized programming micro-code 58 are written to the programmable section 55.

The authentication section 45 of the flash PROM 18 is initially programmed with the secure microcode 51, the comparator 52, the hash generator 53, the decryptor 54, and the public key 56. Whenever the computer system 10 is initialized, the authentication section 45 verifies that the data hash of the unsecured micro-code 58 matches the verification hash to ensure the integrity of the unsecured micro-code 58 and authenticate that the unsecured micro-code 58 had not been altered. As the unsecured micro-code 58 of the programmable section 55 is authenticated, the trust level of the unsecured micro-code 58 is raised to a level of trusted. Thus, the authenticated micro-code 58 can be used to authenticate other initialization code down stream in the start-up sequence of the computer system 10.

Fig. 3 shows a flow diagram for generating a digital signature 57 for the micro-code 58. The diagram begins with generation of the verification hash from the micro-code 58 in step 62. Next, the private key is obtained for the generation of a verification hash from the microcode 58 in step 64. In step 66, the verification hash is encrypted using public key cryptography techniques and the private key to obtain the digital signature 57. Finally, in step 68, the digital signature 57 is programmed with the micro-code 58 to the programmable section 55 of the flash PROM 18.

Fig. 4 shows a flow diagram for authenticating the unsecured micro-code 58 of the programmable section 55. The diagram begins with generation of the data hash from the unsecured micro-code 58 contained in the programmable section 55 in step 72. In step 73, the verification hash is decrypted with the public key 56 contained in the authentication section 45 and the digital signature 57 contained in the programmable section 55. Step 74 provides a comparison of the verification hash with the data hash. In decision step 75, if the verification hash matches the data hash then step 77 authorizes the execution of the micro-code 58 contained in the programmable section 55. If in decision step 75, the verification hash does not match the data hash, step 78 provides a message to the user that an error occurred during authentication of the programmable section 55 and offers a recovery solution for the user to obtain valid micro-code.
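The signing flow of Fig. 3 and the authentication flow of Fig. 4, as an added Python example that is not part of the patent text. SHA-256, unpadded RSA, the signature-first section layout and the Mersenne-prime demonstration key are assumptions made so the block runs offline; the key is trivially factorable, and a production design would use a padded signature scheme such as RSASSA-PSS.

```python
import hashlib
import hmac

# Constructed demonstration key (assumption, NOT secure): both primes are
# well-known Mersenne primes, so this modulus is trivially factorable.
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q                            # modulus of public key 56
E = 65537                            # exponent of public key 56
D = pow(E, -1, (P - 1) * (Q - 1))    # private key, known to the signer only
SIG_LEN = (N.bit_length() + 7) // 8  # 141 bytes for this modulus
HASH_LEN = hashlib.sha256().digest_size


def data_hash(microcode: bytes) -> bytes:
    """Hash generator 53 (SHA-256 is an assumption; the patent names no hash)."""
    return hashlib.sha256(microcode).digest()


def sign_microcode(microcode: bytes) -> bytes:
    """Fig. 3, steps 62-66: hash the micro-code, encrypt the hash with the private key."""
    h = int.from_bytes(data_hash(microcode), "big")
    return pow(h, D, N).to_bytes(SIG_LEN, "big")


def build_programmable_section(microcode: bytes) -> bytes:
    """Fig. 3, step 68: write signature 57 together with micro-code 58.
    The signature-first layout is an assumption of this example."""
    return sign_microcode(microcode) + microcode


def authenticate(section: bytes) -> bool:
    """Fig. 4, steps 72-75, as run by the read-only authentication section."""
    if len(section) <= SIG_LEN:
        return False                          # no room for signature plus code
    signature, microcode = section[:SIG_LEN], section[SIG_LEN:]
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False                          # not a valid value modulo N
    recovered = pow(s, E, N)                  # decryptor 54 with public key 56
    if recovered.bit_length() > 8 * HASH_LEN:
        return False                          # too large to be a hash: reject
    verification_hash = recovered.to_bytes(HASH_LEN, "big")
    # Comparator 52: constant-time comparison of the two hashes.
    return hmac.compare_digest(verification_hash, data_hash(microcode))


def boot(section: bytes) -> str:
    """Decision step 75: step 77 (execute) or step 78 (report error, recover)."""
    if authenticate(section):
        return "step 77: execute micro-code 58"
    return "step 78: authentication error, offer recovery"


if __name__ == "__main__":
    image = build_programmable_section(b"constructed micro-code image v2")
    print(boot(image))
    tampered = bytearray(image)
    tampered[-1] ^= 0x01                      # one flipped bit in the micro-code
    print(boot(bytes(tampered)))
```

Only the public key and the verification code need to live in the read-only section; the private exponent never appears on the device.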



A flash PROM 18 having an authentication section 45 and a programmable section 55 affords ease in updating the flash PROM 18 with new micro-code without compromising security. Implementing public-key cryptography having a private key and a public key to verify the programmable section 55 with the authentication section 45 assures that the programmable section of the micro-code is proper and authentic. The integrity of the unsecured micro-code 58 of the programmable section 55 is also verified when the verification hash matches the data hash. As the trust level of the unsecured micro-code 58 is raised to a level of trusted, other boot data such as the boot blocks of the disk drive 16 used for initializing the computer system 10 can be similarly authenticated using the now trusted micro-code 58 of the programmable section 55. Thus, a propagation of a series of security checks during the boot-up sequence can be implemented to ensure that each sequence executes properly authenticated boot code.

While the foregoing detailed description has described several embodiments of the apparatus and methods of firmware authentication in accordance with this invention, it is to be understood that the above description is illustrative only and not limiting of the disclosed invention. Obviously many modifications and variations will be apparent to the practitioners skilled in this art. Accordingly the apparatus and methods of firmware authentication has been provided which authenticates the programmable section of a flash PROM with a read-only section of the flash PROM by application of public-key cryptography. By affording a programmable section of the flash PROM to be software programmable, updates to the firmware are accomplished without compromising the integrity of the firmware. No longer are system operators required to disassemble computer systems to perform updates to system start-up firmware.

Particular and preferred aspects of the invention are 
set out in the accompanying independent and depend- 
ent claims. Features of the dependent claims may be 
combined with those of the independent claims as ap- 
propriate and in combinations other than those explicitly 
set out in the claims. 



Claims 

1. A boot PROM (programmable read only memory) having programming instructions for initiating a computer system comprising:

  a software programmable data section having a plurality of micro-code; and
  an authentication section having a hash generator configured to generate a data hash in response to the plurality of micro-code programmed in the software programmable data section to authorize execution of the plurality of micro-code of the data section.

2. The boot PROM according to claim 1, wherein:

  the software programmable data section includes a predetermined signature; and
  the authentication section includes a predetermined public key and a decryptor configured to provide a verification hash in response to the predetermined signature and the public key.

3. The boot PROM according to claim 2, wherein the authentication section includes a comparator configured to compare the data hash with the verification hash to authenticate the plurality of micro-code of the software programmable data section.

4. The boot PROM according to claim 2, wherein the predetermined signature includes an encryption of a private key and an initial hash of a plurality of initial micro-code programmed to the software programmable data section.

5. The boot PROM according to claim 1, wherein the authentication section includes a plurality of trusted microcode configured to initiate execution of the plurality of micro-code of the software programmable data section in response to proper authentication of the data hash.

6. The boot PROM according to claim 5, wherein the proper authentication of the data hash by the authentication section of the plurality of trusted micro-code affords the plurality of micro-code programmed in the software programmable data section to a level of trusted code.

7. The boot PROM according to claim 1, wherein the software programmable data section includes a flash memory configured to enable software reprogramming of the plurality of micro-code.

8. The boot PROM according to claim 1, wherein the authentication section includes a ROM (read only memory).

9. A method of operating a boot PROM (programmable read only memory) having programming instructions for initiating a computer system comprising the steps:

  generating a data hash in response to a plurality of micro-code programmed in a software programmable data section; and
  authenticating the data hash in an authentication section to authorize execution of the plurality of micro-code of the software programmable data section.



10. The method of operating a boot PROM according to claim 9, wherein the software programmable data section includes a predetermined signature and the step of authenticating includes decrypting a verification hash in response to the predetermined signature and a public key.

11. The method of operating a boot PROM according to claim 10, wherein the step of authenticating includes comparing the data hash with the verification hash to authenticate the plurality of micro-code of the software programmable data section.

12. The method of operating a boot PROM according to claim 10 further comprising the step encrypting a private key and an initial hash of a plurality of initial micro-code programmed to the software programmable data section to provide the predetermined signature.

13. The method of operating a boot PROM according to claim 9, wherein the authentication section includes a plurality of trusted micro-code further comprises the step of propagating a level of trusted code to the plurality of micro-code of the software programmable data section in response to proper authentication of the data hash.

14. The method of operating a boot PROM according to claim 9 wherein the software programmable data section includes a flash memory further comprises the step of reprogramming the plurality of micro-code in the software programmable data section.

15. The method of operating a boot PROM according to claim 9 wherein the authentication section includes a ROM (read only memory).

16. A computer initialization system having a plurality of micro-code to initiate the computer system comprising:

  a hard disk having a plurality of storage blocks configured to store programming data and initializing boot data;
  a CPU (central processing unit) coupled to the hard disk configured to process programming data from the hard disk;
  a display device coupled to the CPU and the hard disk configured to receive display data from the CPU and the hard disk; and
  a boot PROM (programmable read only memory) coupled to the hard disk having a software programmable data section including the plurality of micro-code and an authentication section including a hash generator configured to generate a data hash in response to the plurality of micro-code programmed in the software programmable to authorize execution of the plurality of micro-code of the data section for directing the initializing boot data of the hard disk to execute.

EP 0 816 970 A2

17. The computer initialization system according to claim 16, wherein:

  the software programmable data section of the boot PROM includes a predetermined signature; and
  the authentication section of the boot PROM includes a predetermined public key and a decryptor configured to provide a verification hash in response to the predetermined signature and the public key.

18. The computer initialization system according to claim 17, wherein the authentication section includes a comparator configured to compare the data hash with the verification hash to authenticate the plurality of micro-code of the software programmable data section.

19. The computer initialization system according to claim 16, wherein the predetermined signature includes an encryption of a private key and an initial hash of a plurality of initial micro-code programmed to the software programmable data section.

20. The computer initialization system according to claim 19, wherein the proper authentication of the data hash by the authentication section of the plurality of trusted micro-code affords the plurality of micro-code programmed in the software programmable data section to a level of trusted code.